The new technology, which Sony has dubbed "sterile burning," manipulates the Windows core processing center, or "kernel," to make the DRM almost totally undetectable on Windows systems.
These DRM files are almost impossible to remove without fouling Windows systems and could be used by malicious hackers to hide their own programs, according to Mark Russinovich, chief software architect at Winternals Software Inc., a company that makes administrative software tools.
Sony BMG acknowledged that the rootkit-style features are part of DRM technology that began shipping with CDs in 2005, but referred technical questions about the technology to First 4 Internet Ltd., the Banbury, England, firm that developed it.
Russinovich said he discovered the Sony rootkit technology after scanning his own computer with a tool called RootkitRevealer that he developed.
Russinovich, who is an authority on rootkits, said he was shocked by the discovery.
"Given the fact that Im careful in my surfing habits and only install software from reputable sources, I had no idea how Id picked up a real rootkit," he wrote on his blog.
After discovering the program, Russinovich began a detailed analysis of it that turned up the name of First 4 Internet, a UK firm that developed the software for Sony.
Russinovich said he believes that the software was installed on his system by a copy-protected CD of music by Sony BMG artists The Van Zant Brothers that he recently purchased from Amazon.com.
Through a detailed analysis of communication between the media player installed from the Sony CD and the rootkit files, Russinovich was able to determine that the rootkit files were installed with the media player and communicated with it.
Russinovich was reluctant to discuss the details of how the DRM software works, citing fear of prosecution under the DMCA (Digital Millennium Copyright Act). However, he said the rootkit features help enforce the sterile burning limits on copying Sony music files.
A Sony BMG spokesperson said the sterile burning and rootkit technology is intended to act as a "fence" or "speed bump" for users who want to try to go beyond the limit of three copies on the companys DRM-protected music.
Like other so-called "kernel mode" rootkits, the Sony DRM software interacts with the system service table, a core component of the Windows operating system kernel that coordinates the interactions between instructions from different Windows applications and the kernel.
By "hooking" the Windows kernel in this way, kernel mode rootkits can intercept communications between the kernel and the Windows API, filtering or distorting the instructions and information that are sent from the kernel.
For example, the Sony DRM software did not appear in the Windows Explorer or the Windows registry, where information on installed programs can typically be viewed, Russinovich said.